Kama Sutra Worm Could Make For A Bad Friday

mikey1134 writes "CNN is running a story about the Kama Sutra worm, a virus that is coded to overwrite files of the (potentially thousands of) infected computers. They provide some background on this viral outbreak and warn users to protect themselves" From the article: "And even for home computer users who have never taken such precautions before, security experts say now would be a good time to back up your most important data, like financial information and family photographs, to CDs, DVDs, zip drives, or an external hard drive that you know is worm and virus free. Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra."

Many Aliases and More Info

[eldavojohn]

For references, these are the enumeration names and where to go to make sure you have the latest anti-virus signature. Remember, this variant will uninstall and delete most anti-virus software so it's important to recognize it before it goes active tomorrow. Most virus definition software refers to it as CME-24. This is important since this worm has many different names including Nyxem.E, BlackWorm, Grew and Mywife.E.

More on the worm and its permutations and statistics on spreading.

A very detailed analysis with all types of files that may be affected.

And, if it's worth anything to you, the Microsoft advisory which seems to tout that Windows Live Safety Center Beta can protect against it. If you're in charge of computer security at your workplace, I would send out an e-mail instructing everyone to verify that they have the correct anti-virus definitions and to scan their computers before leaving tonight. Luckily, that's not my job where I work.

Re:Many Aliases and More Info

[cinnamon+colbert]

like totally unhelpfull..I didnot understand a word of your post or the links

Surely, there is a simple answer to this question:
if i scan my hardrive tonighte with avg or macafee or norton, am i protected ?
where do i download the patch ?

if not, this surely demonstrates that the protection companies aint worth a tinkers damm

Re:Many Aliases and More Info

[rkrabath]

>> if i scan my hardrive tonighte with avg or macafee or norton, am i protected ?

Possibly yes, but also possibly not. This virus wil disable many common AV programs. My reccomendation would be to use a specialized scanner such as the one from f-secure: http://www.f-secure.com/v-descs/nyxem_e.shtml. I just used that one myself.

Re:Many Aliases and More Info

[j-cloth]

McAfee DATs 4642 and higher will catch it.

Re:Many Aliases and More Info

[Phillup]

You might be right... but he is representative of the average user.

So, while you scorn his 133t skillz... the point (which you missed) is legitimate.

Re:Many Aliases and More Info

[xeoron]

I would think one of the best solutions (along with backing things up) is to turn the system clock back a few days, until a proven removal tool can be used.

Re:Many Aliases and More Info

[Inda]

I know you're only trying to help but to answer the GP's post again.

Probably yes. That's a big 99.9% yes...

Yes, the Worm tries to delete anti-virus program files. Yes, tries to stop anti-virus software running at reboot. But if it's managed to do that, there's no way you're scanning your PC tonight anyway.

Update your definitions and scan now. Inform everyone you know not to open email attachments they weren't expecting.

Which brings me to another point: Do people really get hit with these anymore? It won't make it though all the major webmail services. You haven't been able to open *.PIF or *.SCR files in Outlook for years now. You almost have to go out of your way to get infected by email worms these days.

Don't get caught up in the media hype. This isn't another Blaster.

Re:Many Aliases and More Info

[operagost]

Just a guess, but I'll bet your computer's cup holder is broken.

Re:Many Aliases and More Info

[muszek]

[cut!] enumeration... [cut!] the latest anti-virus signature... [cut!] CME-24. ... [cut!] Nyxem.E, BlackWorm, Grew and Mywife.E.... [cut!] permutations ... [cut!] detailed analysis ... [cut!] advisory ... [cut!] Windows Live Safety Center Beta ... [cut!] security ... [cut!]

Nah, nobody needs that voodoo stuff. The virus only overwrites files of certain types. All you need to do is to turn off "show file extensions" option in Explorer to totally confuse the virus ;)

Sorry if I confused that option's name... I haven't touched a windows box in a while.

Re:Many Aliases and More Info

[genner]

Mod +5 funny, he's being sarcastic people.
I hope.

Re:Many Aliases and More Info

[muszek]

Mod +5 funny, he's being sarcastic people.

Last time I checked, I was not duped, thus I could only be a sarcastic person. But I wasn't sarcastic. There's a slight chance I could be wrong though - my grandmother just called me saying that she read my post and I could be wrong. She claims that my files haven't been overwritten only because the worm hasn't stroke yet. She also said that it's a scandal that her Ubuntu doesn't provide that ultimate security option.

Re:Many Aliases and More Info

[smeenz]

...so it's important to recognize it before it goes active tomorrow.

Timezones people... it was already 5 hours into "tomorrow" for New Zealand when you posted that message.

Apparently I'm not infected.. but then, I don't go around opening unsolicited attachments.

Re:Many Aliases and More Info

[smeenz]

//forgot to close italic tag

//even previewed it twice and didn't notice until after submitting.

Re:Many Aliases and More Info

[genner]

I'll ignore the grammar nazi'ism of your last post in vain attempt to stay on point. Turing off file extensions doesn't make them go away it just makes them invisible to you and only in windows explorer. If you want to see what the virus see's try bringing up a command prompt and type dir. Look at all those pretty file names that still have extensions on them.

Re:Many Aliases and More Info

[Fishstick]

>where do i download the patch

You don't -- there isn't one. This does not exploit a vulnerability in the OS. It exploits a vulnerability in those willing to click email attachments.

Re:Many Aliases and More Info

[jericho4.0]

/. has changed markedly over the years, but still keeps it's technical orientation. This has become more obvious, IMO, since the emergence of digg.com, a site with lots of tech news, but very n00bish comments. How about we keep /. the way it is, instead of trying to dumb it down? The links provided contain lots of usefull info. You might not understand all of it, but you might learn something.

Re:Many Aliases and More Info

[guyjr]

Plain and simple answer for AVG Free - If you've updated since Jan 16th, you're good to go: http://free.grisoft.com/doc/1

Re:Many Aliases and More Info

Surely, there is a simple answer to this question:
if i scan my hardrive tonighte with avg or macafee or norton, am i protected ?
where do i download the patch ?

I just emailed it to you. Click on the attachment to open it.

Re:Many Aliases and More Info

[Mahou]

so how do i know if i'm infected? any scanners? or files to look for?

Re:Many Aliases and More Info

[muszek]

I'm sorry if I offended you. Honestly, I didn't mean to. I kinda think that people that criticize others over something irrelevant are arrogant assholes. And certainly I don't like thinking of myself as an arrogant asshole, particularly if I'm not a native English speaker and make mistakes on a daily basis. I just found it funny that skipping one comma changed the meaning of your comment.

Back on the topic: wouldn't it be funny to make a website which would include a set of such idiotic security enchancements?

Re:Many Aliases and More Info

[cinnamon+colbert]

good point... IN the world of perfect posts, the parent would have had two parts, a for morons like me , and b for /.s...

Re:Many Aliases and More Info

[hesiod]

> How about we keep /. the way it is, instead of trying to dumb it down?

Absolutely, and if you don't understand something, read the comments. Chances are pretty good someone else didn't understand either and asked. Or if that hasn't happened, post the question yourself. That's why the comments section is here!

Re:Many Aliases and More Info

[jim_v2000]

Do people really get hit with these anymore?

You'd be surpised. I work for an AV company and the amount of calls we get from IT guys who have had "outbreaks" of this worm on their networks is astounding.

Like the guy in the article said, "There's no patch for user ignorance."

Re:Many Aliases and More Info

[WuphonsReach]

We've had a rule blocking .pif, .scr, and about 20 other extensions on our mail server for close to 4 years now.

That's not to say that it couldn't piggyback in on a laptop or via another e-mail account (or inside a ZIP file). But at least we reject all of the ones that we see on the mail server.

Even as a developer, I'd be hard-pressed to say why .pif/.scr attachments shouldn't be blocked at the gateway.

Re:Many Aliases and More Info

[minus9]

Perhaps someone could video an explanation using sock puppets and coloured blocks and post it on google video.

Re:Many Aliases and More Info

[WuphonsReach]

Absolutely, and if you don't understand something, read the comments. Chances are pretty good someone else didn't understand either and asked. Or if that hasn't happened, post the question yourself. That's why the comments section is here!

Heck, that's 90% of why I read Slashdot. Lightly filtered, somewhat useful comments from dozens or hundreds of individuals on whatever topic I'm trying to bone up on this week. (It's not my only source, but it often provides a good surface-level understanding of the topic. Enough to dig further into more detailed documentation.)

There's a lot of software that I probably heard about here first (PostgreSQL for one, anti-spam solutions, etc.).

Re:Many Aliases and More Info

[genner]

OK, for the record my original post assumed you where being sarcastic.
Unfortunately I teach basic computer skills to the ignorant masses
and know more than a few people who would come up with and actually rely on such "fixes". Still it would be funny to make a site like that.

Re:Many Aliases and More Info

[patiodragon]

Q: "Does Joe Sixpack read /. ?"

A: Not 'til I've at least had teh furth one!
        -Joe

Re:Many Aliases and More Info

[XchristX]

Step1:
Install linux, KDE & bitdefender/f-prot in an old pc

Step2:
Put it in your lan & boot into it

Step 3:
Launch smb4k & set your windows machine to share its entire C:\ directory

Step 4:
Look for the samba share of your c:\ in smb4k & mount it in ur linux pc

Step 5:
Update virus definitions in f-prot/bitdefender & scan share

Ste6:
Profit?

Obligatory Kama Sutra Comment

[sumi-manga]

Better back up that pr0n too! :P

Re:Obligatory Kama Sutra Comment

[Firehed]

Hmm... the STD of the 21st century. Maybe that whole e-Darwinism will work out after all.

Re:Obligatory Kama Sutra Comment

[minus9]

Excel spreadsheet pr0n, now that's kinky.

Re:Obligatory Kama Sutra Comment

[ShadowBlasko]

Good point, but I keep a lot of multiple-file archives in .rar, so that got my attention pretty quickly. My "Old data" archives, such as my domain backups are also rared. I keep those off the system, but I keep the most recent archive on hand for quick reference. /Backs up the Heather Carolin pics.

Your computer...

[bondsbw]

... really should have more flexible security.

Re:Your computer...

[TubeSteak]

There really is no reason to use the standard file names if you're just keeping the files within your system(s).

You can renamed ".doc" to any non-standard name and not have to worry about virii like this deleting them.

For a larger organization, it's just a matter of changing filenames, file associations and perhaps most importantly: make sure the icon transitions with the name change.

It might be a PITA, but there's nothing simpler than security through obscurity. Anything you do to change the behavior of the default Windows environment will make you more secure against generalized attacks.

Re:Your computer...

[AgentRavyn]

Nothing simpler but nothing weaker. Security through obscurity should not be suggested or implemented at any level. Ever.

The false sense of security that comes with it is more dangerous than the hole you're covering.

Re:Your computer...

[TubeSteak]

Then how come everyone always asks "did you change the name of the default admin account for your windows install"

The only reason virii are so successful is because of the homogeneous environment windows creates. If you can change that, you've made yourself a bit safer.

I didn't say it was the best way to secure yourself, but it will work.

Re:Your computer...

[nasch]

"Security through obscurity" doesn't mean "keeping things secret." Keeping passwords secret is obviously not STO. The same holds true of keeping usernames secret. It's just basic security practice, or at least it should be. You both have valid points. Changing things in a superficial way really will have a chance of reducing your vulnerability to some problems. However, it also has a chance of making some people think you're no longer vulnerable, and pay less attention to real security. My take is, if something is worth securing, it's worth securing properly. If it's only worth taking steps like you mention, then don't even bother - whatever it is you're securing isn't worth any effort. If you choose to do real security, then STO is just a waste of time - it won't add anything to what you've already done.

Just like I tell my wife when she locks the doorknob lock after locking the deadbolt. If you're going to lock the door, use the deadbolt. If you lock the deadbolt, the other lock isn't going to make the door any harder to open for someone without a key, only for someone with legitimate access. So don't bother.

Re:Your computer...

[TubeSteak]

That's funny you bring up deadbolts.

I always lock both, just in case some asshat comes by and tries to jiggle the doorknob.

A lock is only going to keep an honest person honest.

Re:Your computer...

[TIMxPx]

This is slightly offtopic, but the plural of "virus" is "viruses". I wish it weren't, but there is no recorded instance of a Latin plural for "virus". "Virii" would be the plural of "virius", which isn't even a word. Just saying.

Re:Your computer...

[JTorres176]

So if I have a document named OMG.doc, will it remain unscathed if I rename it OMG.wtf?

Re:Your computer...

[jasontheking]

OMGWTF.bbq should offer a higher degree of safety

Re:Your computer...

[WilliamSChips]

Locks keep lazy people honest where they wouldn't be so without the lock. To keep dishonest people honest, you need capabilities, and even those aren't perfect

Re:Your computer...

[nasch]

Locks don't keep anybody honest. A closed door is sufficient for honest people; for dishonest people you need a lock that is difficult to bypass. A casual dishonest person can bypass a doorknob lock fairly easily. A deadbolt is much harder to bypass without a key, particularly without attracting attention, so it's effective at deterring more determined criminals. That's exactly who you want to deter most, so why would you not throw the deadbolt? This analogy breaks down somewhat because the deadbolt is just as easy to use as the other lock. However, you can imagine that it's more difficult, like maybe you have to throw the deadbolt and then walk to the other side of the house and push a button to arm it. Lazy security is using the easy but ineffective lock, good security is the deadbolt.

As for somebody jiggling the doorknob, what does it matter? If you use the deadbolt, the door is still locked and they won't be able to open it. If they're able and willing to get past the deadbolt, then being able to jiggle the doorknob won't make a lick of difference. To go back to the other side of the analogy, if someone can get past your firewalls, etc and straight into your network and read files off your servers, what difference does it make what filenames you use? The attacker is obviously determined and effective, and a little misdirection won't do you any good. The most you'll end up doing is cause inconvenience for your own people and foster a false sense of security.

Write-once backups

[truthsearch]

The best backups are those written to only once. Burn to a write-once only CD or DVD. Don't back up to an external hard disk. As soon as you plug it in anything can happen, either from Windows itself or from malicious software (redundant, I guess).

In the old days we backed up to tape and flipped a switch so the tape couldn't be overwritten. Today it's burn-once disks. Don't trust anything but physical protections from disk writes.

Re:Write-once backups

[TubeSteak]

In the old days, we etched our words into stone tablets for safe keeping..

A destructive virus was when a sick person would start coughing so hard that they'd break tablets by knocking them over.

The cost of physical media was high & the write speed was slow. Back then, we went to a lot more effort to make sure that our backups stayed safe.

Re:Write-once backups

[charlesnw]

You evidently don't have a lot of data to backup. My nightly backups are almost half a terabyte. If I didn't reuse media, I would have a very hard time getting my budget approved. Media isn't cheap. 100 tapes is $10,000.00. Write once is nice but doesn't work in real life. Unless you have small amounts of data that fit on one TAPE or DVD. And if you have to store your backups (we have to store offsite for 7 years) you would be paying 2 arms and 3 legs in storage and handling fees.

Re:Write-once backups

[raddan]

You can always unplug a removable hard drive.

Re:Write-once backups

[truthsearch]

And when it's time to restore something do you not plug it in? What's the point of writing to a disk you can never safely read from?

Your response is something one of my old PHBs would have said.

Re:Write-once backups

[corbettw]

In the old days, we etched our words into stone tablets for safe keeping.

A destructive virus was when a sick person would start coughing so hard that they'd break tablets by knocking them over.

The cost of physical media was high & the write speed was slow. Back then, we went to a lot more effort to make sure that our backups stayed safe.

You forgot "And we were grateful!"

Re:Write-once backups

[operagost]

Come on, old timer; you can do better than that. Where's the inclement weather and extreme distance?

Re:Write-once backups

[Pope]

I'm sure the dyes involved are pretty specifically write-once, as there's a phase chage happening in the dye layer. If you had a laser strong enough the change that once written, chances are you'd destroy the thing first before even getting to flip the bits.

Re:Write-once backups

[AgentSmith]

I remember when I was a young program. Barely compiled I was.
And it took us 40ns to get from the Hard Drive across the BUS
to the CPU and then another 40ns to get to a memory address.
And this was in copper of 300 Ohms with EM static from an AM radio
next to us!

And we liked it! We loved it!

Re:Write-once backups

[SuiteSisterMary]

Not if you read the CD from a CD-ROM drive, rather than a CD-R or CD-RW drive.

Re:Write-once backups

I remember those days. There was this guy called Moses who had received some seriously important data on top of some mountain. He goes down the mountain, and he breaks the tablets. He didn't make backups, so he had to go back to his client and ask for a new copy of the data. Very embarrasing.

That should serve as a warning to everyone; always make backups. Especially with important clients like that.

Re:Write-once backups

[Arandir]

A tangental question: What do people use to backup nowadays? Everyone says to backup early and often, but what do ordinary everyday people actually use? The only consumer devices appropriate for this are CDs, so are people using CDs? Are they backing up every night? The old days where you stuck a tape in the drive and it backed up at 1:00am while you slept was great. But having to take a fifteen minutes out of every day to perform the backup sounds tedious.

Re:Write-once backups

[Phisbut]

but is it theoretically possible for a malicious program to turn that backup CD of yours into a disc of nothing but 1s?

Actually, according to the yellow book standard (which extends the red book standards for CD/ROM), a 1 is represented not by a "pit" or a "bump", but by the passage from one to the other (the edge of the pit). Therefore, it would be much easier to burn a whole lotta 0's (by burning pits everywhere) than a whole lotta 1's (which would require a perfect alternance between pits and bumps).

Re:Write-once backups

[bored]

My nightly backups are almost half a terabyte. If I didn't reuse media, I would have a very hard time getting my budget approved. Media isn't cheap. 100 tapes is $10,000.00.

Time to get current with tape, LTO-3 Drives are

Re:Write-once backups

[bored]

My nightly backups are almost half a terabyte..Media isn't cheap. 100 tapes is $10,000.00

What I was saying was that LTO-3 stores 400G uncompressed, the tapes are less than $70 and the drives are less than $2500. Sounds like its time for you to buy a new tape setup.

Re:Write-once backups

[mlush]

A tangental question: What do people use to backup nowadays? Everyone says to backup early and often, but what do ordinary everyday people actually use?

I think the answer is 'ordinary' people don't make backups. The make occasional copys of their data and hope for the best.

and I don't blame them... its very very easy to run up 20Gb of archives and there are few consumer devices that make backing it up easy (ie easy as in you stick a cartridge last thing at night and its finished by morning)

Personally I have an archive server and external hard disk, the server uses rsync to mirror copys of the archive tree on two internal and one extrenal hard disk and uses the --backup option to keep a version history of altered files. here is a rather good page on the subject. I also do regular full and incremental DVD backups

I rather liked the look of the new iomega rev drive a 35Gb removable disk system. However I understand that the cassette are basically little hard disk drives complete with motor and read heads this is great in that it keeps the dust out but I may as well use a USB hard disk as the cassette has all the same weaknesses. I'm currently pinning my hopes on blueray. The burned disks may only be stable for a few years but I'll be doing a full backup every month or so anyway and the backups only exist to recover from total disk failure

Re:Write-once backups

[kurzweilfreak]

This questions was brought up at the little 6 computer, 1 server company I work at. Trying to figure out a better way to backup our server's data than constantly writing to CD-RWs because they wore out too quickly. With Hurricane Katrina looming down on us, I realized that the day before it hit was not such a good time to find out that our backup practices weren't too ideal. Eventually bought a portable 40 gig USB harddrive, but before that I was using a 512 MB Sandisk jumpdrive for our backups, but I could never get an answer from the company on how reliable those sticks were and how many write cycles they were designed to handle. One source told me that they should be good for about 10 years worth of write cycles, but lately the stick seems to have started to be unreliable when being written to (it disappeared from the My Computer list while still plugged in or if it was there it showed 0 free space and 0 used space.) Thoughts? Comments?

Re:Write-once backups

[Jesus_666]

See. Back then we used to take all tablets and copy them onto a few clay-RWs. (Those were the days when you could backup a whole drive by dropping it in wet clay!) What the vendors didn't tell you was that by heating a clay-RW could be turned into a brick-R, thus making the data read-only (without any data loss, at least if you had the right burner). Not quite as stable as a stone tablet-R, but great for redundant backup copies.

Re:Write-once backups

[Triple+Click]

I'm sure it was fine. It wasn't like it was the end of the world or anything.

Re:Write-once backups

[Phat_Tony]

I don't know if this is an intentional or unintentional knockoff of Mel Brooks' The History Of The World, Part I.

Moses: The Lord, the Lord Jehovah has given unto you these fifteen...
[drops one of the tablets]
Moses: Oy! Ten! Ten commandments for all to obey!

Oh yes, this

[voice_of_all_reason]

This is the virus that MS has a patch from their fancy new Remote System Control program, right? Simply agree to download and blindly run any code they decide to send, let 'em take a peek at what you're running from time to time, and send regular status reports to the nice windows home base -- and then, we'll protect you from the nasty viruses!

And remember, kids... that's a nice computer. Would be a shame if something were to "happen" to it, you know what I mean?

Re:Oh yes, this

[jayhawk88]

And remember, kids... that's a nice computer. Would be a shame if something were to "happen" to it, you know what I mean?

I'm sorry, our records indicate that this joke was used no less than 17 times in yesterday's thread about this same topic. You are in violation of the Stale Internet Joke Act of 2004. Please refrain from any and all AYBABTU references and report to UseNet for remedial training immediately.

Re:Oh yes, this

[voice_of_all_reason]

I liked when I could go to Windows Update and choose which patches to install. Security Updates? Why yes, that sounds like a good idea. IE/WMP upgrades? Can't hurt. Whoa, what the hell is "automatic error reporting service?" I don't like the sound of that very much...

I recently had to format my hard drive and reinstall XP from a 1st-generation cd. When I tried to go to windows update, it demanded I upgrade both the Update program itself and set it to Automatic before it would allow me to get security patches. The huge size of the download suggested it was also trying to slip every released patch up to that point in as well. I declined, and opted to look out for my machine myself from then on.

The added system drain, privacy loss, and just plain patronizing hand-holding is just not worth it.

Re:Oh yes, this

[RobertLTux]

google around and you can upgrade the cd you have to current patch level (i think you need to get the sp2 update first then apply the patches) but you land up with a sp2+ patches cd + wahtever else you want

But but but we want a patch!!!

[Siberwulf]

"Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra."

Half the articles i read yesterday about this said that the public was being screwed over becuase MS wouldn't release a patch.

The only patch for stupid is a swift boot in the ass.

Re:But but but we want a patch!!!

[GrumblyStuff]

Quite so. Who needs a patch when they got safe sources for porn?

Re:But but but we want a patch!!!

[plover]

Actually, this virus might BE the "patch" for stupidity.

"Hey, what happened to all my documents?"

"You opened a pr0n attachment in your email, you just got what you deserved."

"Boy, I'll never do that again!"

So, if these idiots are capable of any learning at all, this might work out to be a good learning experience for them. And if they're not, well, hey -- it's not my problem they're stupid.

Re:But but but we want a patch!!!

[diegocgteleline.es]

As far as I know, this is not a windows vulnerability. Users are just stupid and will open any executable with the word "kamasutra" in it. Make it a .desktop file and you have the equivalent linux virus...

Re:But but but we want a patch!!!

[ABoerma]

Two words: "file ownerships". Smart users won't lose anything. Stupid users will learn. Eventally. After having been complaining to their sysadmin for the nth time.

Re:But but but we want a patch!!!

[zlogic]

The only patch for stupid is a swift boot in the ass.
Only on Slashdot a comment like that will be moderated "4, Informative" ;-)

Patch? How about a brain patch!

[Sporkinum]

Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra.

How about a stupidty patch for opening up an attachment like the one described.

Re:Patch? How about a brain patch!

[toby34a]

I liked how in the article itself it said "There is no patch for user error." I call it removing their Banzai Buddy and smacking them upside the head with a keyboard.

Re:Patch? How about a brain patch!

[VENONA]

This virus is very 'old school', in both propagation and effects. It's pretty much everything users have ever been warned about. For *years*. Which also makes it pretty much the final, unassailable proof that you can't patch users.

Or the media. The linked article on CNN keeps referring to it as a worm, for instance.

I just think of it as evolution in action. Uninformed or unintelligent people lose. At this late date I find it impossible to have any sympathy for them.

It's more work for admins who have to clean up systems, yes. But that's part of the job. OTOH, considering the state of the job market, maybe this is all a Good Thing. Some people who largely deserve it get wounded, some other people, who also largely deserve it, stay employed.

I sense a certain karmic balance...

Better yet...

...transfer your important data to a new hard drive inside of a Mac.

But...

[Toby_Tyke]

Does it run on Linux?

Re:But...

[mebrelith]

A friend of mine sent me some docs and I found something that looks like this virus... I don't worry about it, I use Linux, so does my family and my office. Tested it on an isolated box and got nothing.

More Obligatory Kama Sutra Jokes

[fishdan]

So I guess Kama Sutra could put some IT professionals in some awkward positions

Re:More Obligatory Kama Sutra Jokes

[arpk4n3]

Talk about a new way to get fucked

Re:Will be a good thing

[LokiSteve]

Like they learned from Happy99?

Keep in mind all of those Dells that ship with time limited anti virus trial software. Even if people know they need virus protection, they may not know that it's expired.

friday? business as usual ...

[xlyz]

... being 100% on linux we'll work even during tomorrow

i have a patch

[tehwebguy]

just turn your computer off before midnight, and leave it off until saturday.

Re:i have a patch

[xlyz]

you can do better:

turn you pc to an other os and leave it on tomorrow as well

Re:i have a patch

[devils_taco]

i wonder if turning off the ntp time synchronization and changing the computers date/time to the 4th would work? seems easy enough.

Re:i have a patch

[The+Good+Reverend]

Right, because that's fantastic advice for the type of people who click on unknown attachments in their emails...

Congrats, you use Linux. It's be great if more people did, perhaps. But now you're just jerking yourself off, and it doesn't seem particularly helpful.

Re:i have a patch

[halltk1983]

seepr0n.sh

rm -rf ~/

This is almost as effective in Linux, as Kama Sutra is in Windows.
And if you ask who would run it... obviously these people...

Re:i have a patch

[telstar]

"Congrats, you use Linux. It's be great if more people did, perhaps. But now you're just jerking yourself off, and it doesn't seem particularly helpful."

Precisely the words you'd expect to hear from someone named "The Good Reverend".

Re:i have a patch

[apoc.famine]

Well, I resisted the switch for quite some time, due in part to "teh gamez!!!!". Now that my life is busier, and games don't take up nearly as much of my time, I've moved completely away from windows. However, I never would have made the switch if it wasn't for shit like this. I picked a hard linux flavor to jump into, (gentoo) but I learned a lot, and now I view stories like this with a fair amount of boredom and apathy.

I didn't switch to linux because of the philosophy, and I didn't switch because I'm some l33t h@X0r - I switched in part because I was sick of this sort of crap. In the last 9 months, I haven't worried about my AV program, I haven't worried about worms, and I haven't worried about clicking attachments. (Not that I clicked before anyway.) I haven't worried about visiting websites that were taking down IE and infecting windows machines. I emerge --sync && emerge -Du world on a regular basis, and all is well.

The point of this whole drunken ramble is that I used to be a regular windows moron (especially at college, in computer labs) who would click on stupid-ass shit, and visit malicious sites. While I was far from the worst, there were times when I did stupid crap online. The reason that I'm no-longer using windows is because of crap like this happening.

Saying "switch to another OS and get on with life" is exactly what I did - it is becoming more and more doable every week that passes. As the Intel Macs hit the market and (hopefully) drop in price, and as linux (especially Ubantu) continues to improve, leaving MS will be a better and better option for more and more people. When I first started messing around with linux 5-6 years ago, it was a pain in the ass, and I didn't have a lot of luck getting stuff to "just work". Lately, more has "just worked" than in a number of my windows installs. It's not some overnight revolution, but Linux and Mac are continuting to work for more and more people. And frankly, they are becomming real alternatives to the tried-and-true virus/worm madness which is Microsoft.

Re:i have a patch

[idonthack]

emerge --sync && emerge -Du

If you ever change your USE flags, it's a good idea to use the --newuse or -N option also, to recompile with the new stuff.

Re:i have a patch

[TheStonepedo]

Entirely offtopic, but as a waiter the only person to ever completely stiff me on a tip was an episcopalian priest. A priest said my service was "unforgivable." In a restaurant with a hostess to seat customers, he seated himself at a closed table in my section of the restaurant. I waited on him attentively from the first harumph, roughly 5 minutes after he seated himself, and that was not good enough to get a tip. If I had to place a bet on who would be a jerk with the options of a complete stranger or a reverend, I'd take the reverend every time.

Cheers!

Re:i have a patch

[apoc.famine]

Good to know, although I didn't choose Gentoo because I was some rabid optimization fanboy with overly agressive USE flags. I've got a handful of sensible ones, and they don't change often, if at all. But like I said, good to know regardless. Thanks.

Zip drives?

[Dr.+Sp0ng]

...to CDs, DVDs, zip drives, ...

What is this, 1996?

Re:zip drives?

[Slick_Snake]

I've had more hard drives, CDs, floppies, and tapes fail than I've had zip disks fail. I've only had one zip disk ever fail and it went through hell first. The cost of the disks kill zip not the reliability.

Strange...

[casualsax3]

Anyway I like how virus names are slowly getting edgier. Kama Sutra is a good one, but it'll be great fun when someone names a virus the Angry Dragon, Cleavland Steamer, or the Dirty Sanchez. I eagerly await the day when the words "Rusty Trombone hits America hard" grace CNN's frontpage :)

Re:Strange...

[Hillgiant]

How about the "My Wang" virus?

"My Wang has fully penetrated hundreds of thousands of systems," warn security analysts.

Re:Strange...

[barefootgenius]

Bird Flu would work better.

"And this morning Bird Flu rolled across America...Arrrrrgghhhh!"

Re:Strange...

[Damek]

I'll wait for "Raging Hardon".

Re:Will be a good thing

[charlesnw]

I'm sorry? It won't be super destructive? May I ask what you define as a super destructive virus? Overwrting the contents of all MS Office documents (not just deleting them) is extremly devestating. Even with backups the time it would take to restore the files would be a lot of downtime. Then you look at all the people who don't have backups. People and businessess. That could result in serious economic damage as companies are forced to re create there entire business. Was your post meant as a joke or...? You evidently have never had to recover from a virus infection of any magnitude. I have and its not easy. It takes time and its a race against the clock.

Re:No patch!!!! WTF

[Toby_Tyke]

Because the kids moving the stop sign were purposefully trying to cause harm. Microsoft didn't make Windows insecure on purpose. If MS could be charged for not securing windows, the Stop sign manufacturer could be charged for not making the stop sign tamper proof.

Also, I don't think computer viruses cause all that many deaths.

Hmm

[voice_of_all_reason]

As bad as this day? http://images.amazon.com/images/P/0689711735.01._S CLZZZZZZZ_.jpg

//mah favorite book

Re:No patch!!!! WTF

[PhilHibbs]

You mean this? The text says it was manslaughter, which is fair enough, and that it was overturned, or did you mean a different case?

Re:No patch!!!! WTF

[SCHecklerX]

It's not really a worm. What, exactly, is microsoft supposed to patch?

Re:Will be a good thing

[meringuoid]

I'm sorry? It won't be super destructive? May I ask what you define as a super destructive virus? Overwrting the contents of all MS Office documents (not just deleting them) is extremly devestating.

Sure. But I reckon gradually corrupting small parts of them is still worse. You might only realise you were infected months later, when the quarterly financial figures come out totally whacked, and you'll spend the rest of forever in the company of accountants and auditors trying to track down the correct figures.

Fragging out a file all at once? Then the victim realises something's up, gets the machine fixed, loses some work. Imperceptibly corrupting the file? Victim keeps spreading the virus, and every version of every file he works on is suddenly untrustworthy...

As long as you don't

[IAAP]

end up fucking yourself.

Clue About How To Detect Whether You're Infected

[Fleetie]

This URL would seem to provide some hints about how to check whether you're infected.
It mentions some registry keys that the worm sets up.

http://www.sophos.com/virusinfo/analyses/w32nyxemd .html

Re:No patch!!!! WTF

[InsaneGeek]

I wouldn't call it a Microsoft insecurity issue, but a stupid user issue. The user has to install it for it to work, the user actually has to be involved and allow it onto their box. The same type issue can be had for a Linux box and you don't even have to be a root user to be affected; someone emails you unknown app and like these windows dumbasses you run it can wack all of the Openoffice documents you have been using to write your disertation for the past year is gone.

A stupid user is stupid user, the article summed it pretty well: "Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance,"

Re:Great reporting, CNN

[HaydnH]

"As much as I appreciate the warning, hints on HOW to know if you're infected would have certainly helped."

As much as I appreciate your comment, hints on HOW to know if you're infected would have certainly helped.

So I don't get the same response to this comment, here's some links to Nyxem/Karma Sutra/MyWife (Whatever you wanna call it) removal:

- Symantec
- McAffee

Haydn.

Re:No patch!!!! WTF

[charlesnw]

Simple. The End User License Agreement absolves Micrsosoft of all responsiblity for defects including ones they have been NOTIFIED ABOUT. The entire security community is very good about informing the secure@microsoft.com team about vunerabilities. For that matter so is /. the WSJ and CNN. Every copy of there software ships with a get out of jail free card.

Re:No patch!!!! WTF

[Fishstick]

Try and get your knee to settle down and RTFA

Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no "patch" that can be downloaded to ward off Kama Sutra.

"This is something that is not inherent in the operating system," Sergile said.

"Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance," he said.

I like to jump all over Microsoft for their lax security and gaping vulnerabilites as the next guy, but this time it isn't an unpatched hole in office or RPC or something causing this.

There isn't anything you can do to protect your system from this worm, aside from not being dumb enough to click on an email attachment that says "free nekkid pikturs".

>Hopefully this worm will cause a bunch of monetary damage to some corporations

Apparently not, just horny/stupid military and home users:

Furst says the worm has spread to a lot of military addresses on the Internet (.mil), but mostly to ISPs (Internet Service Providers), meaning most of those infected are probably home users.

Then you have a bad setup

[truthsearch]

I've worked on large systems, including a multi-terabyte "data warehouse". No matter how big every system can get nightly incremental backups to save space. There is no way EVER you should be overwriting any previous backup. If you have that much data, and it's that valuable, you pay for whatever it takes to make every backup written once-only. Buy a set of drives or one drive with a large multi-disk feeder and pop in 100 7 Gb DVDs every night. Or better yet only do an incremental every night and a full weekly.

What's more expensive... write-once backups or the loss of all of your data? Pick one and good luck.

Re:Then you have a bad setup

[MikeBabcock]

For liability reasons I recommend exactly the opposite. Always do backups to destroyable media. Do media descruction runs after specific periods (3 yrs, 5yrs, 7 yrs, whatever applies to the information in question) and keep the media safe in the mean time.

For nightly backups, much of that data is only valuable if one copy is available. Do a full backup cycle or two and then start overwriting media. No need for last month's data (except the "month-end" backup), its out of date now.

Re:Then you have a bad setup

[charlesnw]

Incremental backups don't work for us. For a wide variety of reasons.

Re:Then you have a bad setup

[operagost]

Maybe you haven't worked with companies having fewer than 100 billion dollars in assets; but I provide software and services to credit unions and I assure you, they cannot afford to use a SLDT 320 GB tape once and archive it forever. The monthlies are (if they follow our recommendations) put away indefinitely, but that's about it. There is a reason to reuse tapes, and it's called "practicality." They couldn't open their doors to teenagers and low-income families if they had to do what you demand.

Re:Then you have a bad setup

[operagost]

Here's one: ever tried disaster recovery on a Saturday when your last full backup was Sunday? Takes some time!

Differentials are best when practical.

Re:Then you have a bad setup

[GigsVT]

Check our rdiff-backup.

You only do a full backup once, and the incrementals are stored as reverse deltas. It's really the only way to go with large datasets.

Re:Then you have a bad setup

[vinn01]

Always do backups to destroyable media.

All media is destroyable. There are shedders that can easily handle disk platters, CD-ROMs, DVDs, etc. The shedders are smaller versions of circuit board shedders that have been common to firms doing defense electronics since the 1950's.

Re:Then you have a bad setup

[Phisbut]

All media is destroyable. There are shedders that can easily handle disk platters, CD-ROMs, DVDs, etc. The shedders are smaller versions of circuit board shedders that have been common to firms doing defense electronics since the 1950's.

I prefer the good ol' flamethrower. A single tool that can handle various format of media, be it small, big, circular, onboard, paper, etc.

Re:Then you have a bad setup

[kurzweilfreak]

...on a Saturday when your last full backup was Sunday? Takes some time!

Not a problem because you already have that flux capacitor working that let you get your Sunday's backup into Saturday! You have all the time you need!

Oh, you meant LAST Sunday...

Re:Then you have a bad setup

[name773]

thermite is also an option, and more economical if you don't do it all that often.

Re:Then you have a bad setup

[TheNetAvenger]

What's more expensive... write-once backups or the loss of all of your data? Pick one and good luck

This whole thread is a bit bogus... Re-writable media can be locked, and quite effectively.

Just because the physical media is re-writable does not mean anyone can access the information let alone write over it.

Pick your FS of choice, and look at the security and encryption tools available. Heck even NTFS can be locked solid with encryption.

Re:Will be a good thing

[charlesnw]

True. Gradual corruption is worse but more difficult to do. With source control/revision tracking its almost impossible. And to date as far as I know there aren't any viruses that do this. I imagine if they do exist they are highly targeted payloads that attack specific companies. If the problem was widespread many organizations would report problems and an effort would be made to prevent infection. Although it would most likely be hard.

*We* may not need to worry...

[Robotech_Master]

After checking up on the virus through some of the links in the article...frankly, I would be surprised if most readers of Slashdot were affected. I thnk most Slashdotters are way too smart to engage in the sort of behavior (opening suspicious email attachments) that is necessary to allow infection.

I feel sorry for all the people who aren't, though.

Re:*We* may not need to worry...

[freakmn]

As true as that may be, many slashdotters are responsible for the computers of others. Some work in the IT field, some are the go-to guy for computer problems with friends and family. I'm both. It affects these types of people, perhaps even to a greater degree, since they have to figure out what's going on with not only their own PC, but that of dozens of others.

First Post!

I set my computer's clock 1 day ahead!

Re:First Post!

[smart_ass]

Don't you mean last post?
Need to set your clock back to get FRIST PSOT

Go Ask Alice

[RobertB-DC]

From TFA:
"So while you might think it is coming from cousin Alice, most likely cousin Alice is not going to send you something that says 'Hey look at these pictures with naked people.' So that should be your first clue that a virus is propagating and you'd be well served to call cousin Alice to let her know that she is [unknowingly] sending out this type of e-mail," Sergile said.

Mr. Sergile, you obviously haven't met my cousin Alice.

Re:Go Ask Alice

[Kiaser+Zohsay]

The really sad part is that it probably wasn't even cousin Alice who sent it, it was someone else who had both you and cousin Alice in their address book.

It could be worse. Alice could be your dad.

Re:Will be a good thing

[mwjlewis]

This one won't be super destructive, but a bit bad.

Maybe in your IT world it won't. That's great, but say that to the admin that has a user bring in a unsecured laptop, that brings down the email servers, gets them blacklisted. I'm sure that it won't be considered "a bit" bad when the exec's of the company want answers.... Anything that has the potental to damage/distroy data is destructive.

Searches Network Shares

[ObsessiveMathsFreak]

This one will be more damaging than people think.

A lot of SMEs uses unsecured and passwordless network shares for sharing company data. Data that is stored in, you guessed it, *.doc *.xls, etc, etc files. This virus looks for shared drives such as this and will corrupt the files on them tomorrow.

If only one PC in the company is effected, I can see a whole lot of sore heads tomorrow at lunchtime.

I guess I should have paid more attention to this one.

Re:Searches Network Shares

[VE3MTM]

Or what about a university residence network? I'm on one now, and there are a lot of computers here with open shares. Some have passwordless shares exposing their whole hard drive (I have no idea why). This worm could wreak havok on students here, deleting assignments or the like.

Re:Searches Network Shares

[Feebleminded_Genius]

Agreed. I've been chasing this down on our corporate network all week.

I installed this virus on a test network last night. It was ugly to say the least. The test network was comprised of 5 clients, 1 DC, and 1 file server. When I ran the email attachment on a client, it immediately froze, consistent with the description on F-Secure. Upon rebooting with monitoring on, it launched numerous processes, and disabled Symantec immediately. Within 4 hours it had infected the other 4 clients & the file server.

We then flipped the switch on the DC & set the date to 2/3/06. Update.exe launched half an hour after login, and within 4 hours all .docs, .xls, .mdb files etc were corrupt on the local machines and the file servers.

Note that this test was performed with out-of-date virus defs as a test.

Here's an idea for those in a corporate environment. Create a software restriction policy for the executables associated with the virus:
%systemroot%\system32\scanregw.exe
%systemroot%\system32\update.exe
winzip quick pick.exe
winzip_tmp.exe

We did this in our test environment and it halted the virus completely.

Re:Great reporting, CNN

[Jonesy69]

In other news IT professionals are clamouring to their CPA's asking if condoms, oils, edible underwear, chiropratic bills, candles, rose petals, personal lubricants, aphrodesiacs, and sex toys can be itemized deductions...

patching user ignorance

[gnujoshua]

"Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance,"

Isn't the purpose of this article to patch user ignorance?

If I were more creative, and funnier, I would come up with many witty and similar analogies to the phrase "patching user ignorance." :-)

Re:patching user ignorance

[Crazyscottie]

Isn't the purpose of this article to patch user ignorance?

You know, the saddest part is that the only people who will learn about this virus in time to do anything about it are the ones who are least likely to have become infected in the first place.

Re:patching user ignorance

[MadMidnightBomber]

If I were more creative, and funnier,

Ironically, any post with something like the above in it always gets modded +5 Funny.

free pr0n for the gulible masses

[madnuke]

Free smut is a yes yes for workplaces you can imagine it, 'hey look free porn' 'open it! lets see some hot school girl action' 'oh well nothing there, look at the time see you all tomorow' friday 3rd... 'hey where are all my files? The servers, network drives all gone!' Dust off your tape drives and press the rewind button tonight.

Anyone else calling in sick tomorrow?

[digitaldc]

I feel a sudden illness coming on, could be a virus.

Re:Anyone else calling in sick tomorrow?

[gbrandt]

It's worms.

Re:Anyone else calling in sick tomorrow?

[thePowerOfGrayskull]

I'd feel sick too, if I was one of those stupid enough to click on the attachment.

Re:No patch!!!! WTF

[maxwell+demon]

A stupid user is stupid user, the article summed it pretty well: "Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance,"

Actually there is a patch for user ignorance. It's called user education. The problem, of course, is that ignorant users are usually also ignorant on their own ignorance, and therefore don't apply this patch.

Re:Mainstream media are catching on...

[Alistar]

That, or the "Windows = Computer" is so engrained in people that they use it interchangably without notice.

Even if they are trying to differentiate. It won't affect Joe Consumer, he will just associate windows with computer anyway.

Re:Possible GNU/Linux Virus Writer

[Changa_MC]

Ah yes, because there were no windows viruses before linux.

CME-24 aliases, information, and removal tools

[Futurepower(R)]

Here's how to know the difference between a money-making press release, and an honest story: The press release says "Fear, fear, fear!!!"

The honest story gives you links to tools for eliminating the threat: You can run this tool: W32.Blackmal@mm Removal Tool, which apparently removes all variants of the worm.

Here are manual instructions: WORM_GREW.A, Also known as: CME-24

Here is the list of names of the CME-24 worm, and links to removal methods: CME-24 aliases, information, and removal tools.

well, now we know who's behind this virus

[tralfamador]

security experts say now would be a good time to back up your most important data, like financial information and family photographs, to CDs, DVDs, zip drives, or an external hard drive that you know is worm and virus free

the media storage industry.

good work guys.

Re:God your stupid

[BoRegardless]

And I quote "God your stupid".

I rest the case defined in the message heading as a case of Slashdot user self-flagellation, which is not a part of the Karma Sutra.

Come on now...

[VikingThunder]

"And even for home computer users who have never taken such precautions before" You mean an updated antivirus program? You would think after the thousands of worms that everyone would learn by now, especially those who know they have a tendency to click things for no reason.

Re:Come on now...

[Frobisher]

True. In ancticpation I downloaded a lovely new anti-virus program from a nice email that happened to land in my inbox.

Subject was :
"Ar3 yoo safe? Get l4test anti-v1ru5 softw4r3 packge n0w!"

Look out for it! Its great!!

Re:Did we just slashdot AntiVir updater ?

[OverDrive33]

Im having the same issue.
Although they have AntiVir 7 out and I just found out about it (and upgraded all the machines on the company LAN), so it might be just the influx of new users upgrading to version 7.... unless 7 has been out for a while and I was just in the dark.

SAMBA shares affected?

[roe-roe]

Any ideas if it will only attach files on local machines ore will it traverse to network shares of course only the ones without security?

Re:SAMBA shares affected?

[tinpan]

I'd like to know the answer to this, too.

Anybody know?

Re:SAMBA shares affected?

[NetCow]

It will most certainly affect any writeable permanent redirected shares, AKA mapped drives, since the whole point of mapped drives is to create something that looks like a regular local storage volume.
It will *probably* walk the local network and affect nay shares it can access.
But - why take the chance? Always assume it will affect anything it could possibly write to.

Re:Dupe??

[halltk1983]

This is because, while it may have been posted before, this is very helpful for some of us who are looking for resources to make sure we are covered in the last day before the attack. If it wasn't for the links I got off slashdot, I couldn't get my PHB's to approve my time to verify everything. Thus, an article is not a "dupe" if it is still useful. Hence, your complaints are offtopic.

As was this.

ASSUMING:

[newr00tic]

Only assuming that the so-called "stupid person" understands that it was _this specific virus_ that did it, and remember what was done _on his part_ for it to end up this or that way.

Heh

[ErZo]

"im not a virus...lol" *delete, Format C:* "Okay, i am now :)" Sorry *ducks*

Re:No patch!!!! WTF

[advocate_one]

you really, really have to work at it to fuck up a Linux box... with windows, just going online can be enough...

Re:Clue About How To Detect Whether You're Infecte

[noidentity]

Even simpler: press control-alt-delete. If your computer does nothing, you're safe.

Even better

[databyss]

CasualSax's Rusty Trombone pounds the US in the IS.

Re:Will be a good thing

[operagost]

Imagine a worm that quietly changes every instance of a certain word. For example, changing "earnings" to "B.S." and "mom" or "wife" to "shrieking harpy."

Why panic?

[diorcc]

Why all the panic really? Can't a decent firewall stop the "injection" of this virus through a service/hole? Its a worm we're talking about after all... Just watch what you download/run keep the shields up and you should be fine. I've never been affected by any worms, but always had a properly configured firewall.

Re:Best explanation ever:

[Overly+Critical+Guy]

Hey, this isn't Flamebait, it's true. You can make whatever arguments you want (smaller target size), but Macs have been impervious to every big, newsworthy Windows virus in the past five years.

Do you realize how funny it becomes after the seventh time a big-time worm goes around in the Windows world and you're unaffected? When Blaster was rebooting the world's computers, when Code Red was making the rounds, when the WMF flaw was making people afraid to view email or visit unfamiliar websites, Mac users have just shaken their heads and kept on running. This Friday will be the same.

It's amazing the American economy has come to rely on something so unreliable. I switched my office to Mac last year because life is too short for this shit.

Ok guys, seriously there's an easy answer.

[jonfields]

Step 1: Go into Date and Time properties Step 2: Click on Internet Time tab Step 3: Uncheck Automatically Synchronize Step 4: Click on Date & Time tab Step 5: Change the date to the 4th (saturday) Step 6: Click OK Step 7: Wait until it really is saturday and turn automatically synchronize back on. I'd reccomend this for everyone, whether you think you have it or not, just to be on the safe side.

Re:Ok guys, seriously there's an easy answer.

[Linker3000]

That's right - and all our medical notes,, drug dispensing and consultation histories will have the wrong date which will cause absolute chaos!

Re:Ok guys, seriously there's an easy answer.

[Fzz]

Don't forget to do it next month on the 3rd too. And the next. And the next....

Re:Clue About How To Detect Whether You're Infecte

[lostboy2]

F-Secure has details about this too.

Using the REG utility in WinXP or Win2K Resource Kit, it's not too hard to write a script to scan your PC's registries for this key. Something like

for /f %%i in (computerlist.txt) do (
        echo %%i >>scanlist.txt
        reg query \\%%i\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersi on\Run /s | find "ScanRegistry" >>scanlist.txt 2>&1
)

then look in scanlist.txt for any 'hits'.

Oh leave off it

[Sycraft-fu]

There's no patch because it's not a vulnerability, it's a virus. The only thing you can patch is the users that still won't follow directions and not open executable attachments. The OS is working as intended when it executes code you ask it to, which is how this virus gets on.

This "OMG MS won't patch t3h systems!!!11" stuff on Slashdot is getting old. No, they won't patch it because there's nothing to patch. Duh. They have decided to add it to the malicious software tool, which is a mini virus scanner akin to Stinger from Mcaffee, which scans for a limited subset of viruses, but that's not a patch. Windows OneCare, which is NOT a remote control system by the way, does find it because, well, it's a virus scanner just like any other. It catches it just like AVG, F-Secure, Norton, and so on, which is to be expected as it's a competitor.

So let's leave off the bullshit ok? There are two easy methods to prevent this from hurting your system:

1) Don't run random programs that some with e-mails. If you use Outlook Express, it'll even tell you not to (twice).

2) Get a virus scanner. Doesn't need to be MS's, there are many good ones out there. I recommend AVG, it's fast and free.

Re:Oh leave off it

[whitehatlurker]

The only thing you can patch is the users

The lament of almost every I.T. worker.

Re:Oh leave off it

[sootman]

"Don't run random programs that some with e-mails. If you use Outlook Express, it'll even tell you not to (twice)."

Super. That will take care of it. </sarcasm>

I use OWA and this is next to every single attachment: "Attachments may contain viruses that are harmful to your computer." Gee, thanks. When users see that next to every single word doc, PDF, and JPEG they get on a daily basis, they start ignoring it. If everything is a threat, nothing is a threat.

Re:Oh leave off it

[Sloppy]

No, they won't patch it because there's nothing to patch.

Have they removed MS Outlook's ability to execute attachments?

Clamav

[Ween]

I have tried to find out if clamav will detect this virus with no positive results. Does anyone know the status?

Re:Clamav

[ronaldb64]

"Clams have Anti-Virus software!!!!"

Re:No patch!!!! WTF

[LurkerXXX]

It's not really a worm. What, exactly, is microsoft supposed to patch?

Anyone infected is supposed to download a revolver and shoot themselves in the head for being stupid enough to open an unknown attachment.

Don't I wish

[Sycraft-fu]

Here's my idea:

We setup a room. The door to the room says, in every language "Danger! Do not enter". Inside they'll be a cage you need to open, again with keep out warnings. Inside the cage will be a button that says "Warning: Do not push the button, death will result!". If you push the button, you die. We come in once a week or so and clean out the body.

My guess is any person likely to push the button is also the kind that'll open random attachments despite being told not to by us, the OS, their virus scanner, etc.

Problem solved :D

Re:Don't I wish

[ABoerma]

If only it were death switches... Natural selection, back with a vengeance.

Re:Don't I wish

[Afrosheen]

You have to have a door that leads down a hallway to the Danger door. The original door will be placed in public, near a busy pedestrian intersection (like a mall entrance, subway entrance, etc.). The original door should have a variety of interchangeable labels that will be written by spammers. For example, "Sex l1fe missing spark? Look inside!". The door is to remain unlocked at all times. This trap will get two type of people, who scientists will find are one in the same.

  1. People that actually open, read, and purchase from spam.
  2. People that open random attachments from strangers.

Re:Don't I wish

[StikyPad]

Well, the sign should be on the case covering the button. The button itself should read "Press me to play fun games and/or look at hott pix."

Re:Clue About How To Detect Whether You're Infecte

[HogGeek]

You SOB!

My linux system just rebooted....

Re:No patch!!!! WTF

[pe1chl]

This is of course not true. It is quite possible to protect your systems against worms and other mishaps like this.

Learn a bit about security and limited user accounts. Make sure that normal users cannot write to directories like %programfiles%, %system% and %windir%. Don't allow users to work as administrator.

Install a service like TrustNoExe. Set it up so that executable programs are only allowed in %programfiles% and %windir% (and other directories that normal users cannot write, and that you use to store programs).

Now, when a user receives a program in mail or downloads it from the internet, it cannot be executed. Storing it somewhere in his writable directories (Documents and Settings directory, networkdrives) is possible but it just cannot be started.

It does not require user education, just an educated administrator.

Re:Best explanation ever:

[nolife]

but Macs have been impervious to every big, newsworthy Windows virus in the past five years.


Well no shit. My Ford has been impervious to every big, newsworthy Chevy recall in the past years.

The Kama Sutra

[Randall311]

"There is no 'patch' that can be downloaded to ward off Kama Sutra."

That's right. Once you get the Kama Sutra, you're fucked!

Re:Mainstream media are catching on...

[Overly+Critical+Guy]

This isn't off-topic; it's an important distinction that should be encouraged. CBS News went so far as to not only characterize the worm as a Windows-only worm, but also mention that Macs were unaffected.

People need to be told that it's not a "computer virus," it's a Windows virus.

Re:Best explanation ever:

[WurdBendur]

It's good to be using a Mac when the virii and worms come around, but if the world had chosen Macs instead, they'd be the ones under attack.
As much as I love my Mac, I don't think it's technically any more difficult to attack. It's just that people don't bother writing malware for such a small percentage of the market.

I am waiting....

[LinuxRulz]

I have no idea of what this worm is nor do I care. From the top of my linux box it'll be another friday like the others, where I may have the pleasure to see more Win users complain about their OS, without them doing anything to change OS.
It may be a bit cruel, but I'm already impatient to say my old "I told you so!" to everyone who wouldn't do the switch to linux.

zip drives?

[Ars+Dilbert]

Say WHAT? The idea behind backups is to make your data storage more reliable, not less.

Re:No patch!!!! WTF

[Fishstick]

It's not true!!?? There's a patch!!??

No, I get what you're saying. I was responding to the OP that it was Microsoft's fault that there was not OS patch available and that this left users vulnerable.

I guess if I had a chance to edit my post, I would have worded it a bit differently.

There isn't anything you^H^H^HMicrosoft can do to protect your system from this worm

Worm, isnt that an errenous description?

[Rodong]

It's a regular email attachment virus, nothing wormy about that. "The main difference between a computer virus and a worm is that a virus can not propagate by itself whereas worms can" This requires Stupid user interaction, without it it wont spread and do it's shitznitz. Anyhow, i would say that anyone still running windows, clicking attachments left and right, should in all honesty not be on a account with system rw privs. Hell, i regard linux as somewhat secure and I still dont run as root or superuser lest i'm trying to upgrade stuff or change the system.

Re:Clue About How To Detect Whether You're Infecte

[zippthorne]

Wait.. How long as windows done bash scripts?

Sounds like...

[e_slarti]

... a weird STD.

"Dood, that raver chick gave me the KSW last night and it's been itching all day!"

I guess the Kama Sutra Worm STD might have more positions, but the Tantric Worm lasts longer.

"We now return you to your regular slashdot blather"

There is a Patch....

[Karaman]

...called GNU/Linux OS
Windoze is no more than a game platform and should not be used as other tool if you are smart enough :)

Re:God your stupid

[OldSoldier]

Not to mention "insight a panic"...

if I had insight as to what causes a panic then perhaps I'd learn how not to INCITE one.

But one mistake makes me think the original poster is an idiot. Two mistakes like this makes me think the original poster was trying to be funny. Who knows?

Something revealed

[Grrreat]

Paste this in Word 'DATA Error [47 0F 94 93 F4 K5]', select the charators '47 0F 94 93 F4 K5' and change the font to Wingdings. The virus harms data, and can disable mouse and keyboards.

So who's calling in sick tomorrow?

[brouski]

I know I am!

Ummm--didn't we talk about this yesterday

[wile_e_wonka]

But at least yesterday one of the first posts gave this link:
http://www.microsoft.com/security/encyclopedia/det ails.aspx?name=Win32%2FMywife#Aliases
Note that this link provides a REMOVAL TOOL. I guess Microsoft doesn't have some sort of conspiracy against unpaying customers after all.

Re:Did we just slashdot AntiVir updater ?

[n54]

Lol I think we did but just try again: it updated now (at least in Europe).

Oh this should be interesting

[kilodelta]

Our users have had it pounded into their heads never to open attachments on messages with odd subjects.

But I'm just waiting to see who the pervs are. This should be interesting when someone comes to me and says their files have been deleted. Hmmmm.. and what were you trying to look at.

Re:Best explanation ever:

[Ithika]

I'm curious. If the "head of Macintosh products at Symantec" says that OS X hasn't had any viruses... what does he do? Why do they sell Macintosh AV software?

Do people pay for "peace of mind", and regularly download completely empty virus definition files? ;) I'm sure people would buy it if they did, but I'm assuming they do other things as well.

Turn back the clock

[RyoShin]

The article states that the virus executes on the third of this month (tomorrow.)

Why not just wind back the clock?

I'm serious. I've fooled many a shareware program that locks the program after x days by setting the date back to when I first installed it (or even earlier, which makes for some funny notices.)

Unless the Kama Sutra virus is programmed in such a way as to store the date and time installed, and then keep track of every (milli)second that's past, and execute once enough seconds have passed to put it on the 3rd, I would think you could easily fool it by simply changing the date on your computer back a week or two. If you're really anal about calendars, you can find a year where the months start on the same day.

Yes, this would mess up some other programs that use the computer's date, but temporarily wonky programs are better than completely deleted files, no? So, set the clock back, and wait until Microsoft finally releases their patch or whatever, if you're afraid that another virus scanner hadn't caught it.

Re:Turn back the clock

[RetroGeek]

store the date and time installed, and then keep track of every (milli)second that's past,

Or simply check an Internet time source.

Re:Best explanation ever:

[MuckSavage]

They prevent the spread of windows viruses to their windows using friends and coworkers.

Macs way be immune to windows viruses, but they can still pass them along.

Patch?

[Rihahn]

"Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra."

As the T-Shirt says: Social Engineering - Because there is no patch for human stupidity...

Is this conversation actually happening?

[CrazedWalrus]

Hah!! *shakes head*

muszek: How long are you gonna lead this guy on? His sarcasm detector is clearly out to lunch.

Re:Clue About How To Detect Whether You're Infecte

[toadlife]

It's "batch", not "bash".

Re:Mainstream media are catching on...

[xhrit]

I'd rather they were told it was a 'microsoft virus'. I would hate to read the headlines and think I needed to rush home and patch x11r6.

Nobody seems to care about this

[IHateSlashDot]

I just checked all of the virus sites and they are all on 'green' alert level saying that there are not even an moderate threats out there right now. Either this has just been blown way out of proportion by CCN (slow news day) or all of the security companies think they already have this one solved.

Our IT department is taking no action since there is no elevated threat level.

Solution: We need a patch for user ignorance!

[ehud42]

The CNN article has a great quote:
Unfortunately, there is no way to patch user ignorance...
I love it - might become a .sig of mine someday....

Well, it's Friday morning here in Australia...

[kevingolding2001]

...and I have just fired up Word and Excel and everything still seems to be there.
Oh wait, I'm on a Mac.... Never mind!

Re:The OS is working as intended -- vulnerably

[Sycraft-fu]

They can't hide that they are apps. Windows will warn you that it's an app, and tell you not to run it. You don't need to run as an admin to run Windows. We have hundreds of computers in the department which users do not have admin access on. People run as admin because they are lazy. Besides, if your e-mail client saying "Warning, this could be a virus don't run it" and then your OS saying "Warning this oculd be a virus don't run it" isn't enough, changing the OK to a password field isn't going to do any good.

Re:Will be a good thing

[vishbar]

Exactly. This reminds me of an article I once read on bio-warfare. It mentioned that Ebola wasn't as dangerous of a bio-warfare agent because, even though it's highly lethal, it knocks out its victims extremely quickly--by the time you become contagious, you know you have it. A disease such as Smallpox, however, was far more dangerous--victims could be infected and contagious without knowing they had the disease, leading them to spread it to others.

I'm recalling this from memory, so the disease names may be incorrect. But you get the concept :).

I just laugh at the whole mess

[Kunt]

I have Mac OS X 10.4.4 om my desktop machines and Ubuntu on my IBM laptop. Life is good. :)

Re:Great reporting, CNN

[Fulg]

WTF?!

It seems some moderators are having fun at my expense. Two posts moderated down to 0? Can someone explain? (Honestly, I'd like to know)

My (GP) post was on topic, and was valid criticism (which is, the CNN article does little to explain how to know if you're infected).

Am I safe?

[Arandir]

I'm using FreeBSD, am I safe? I think I am, but with all the panic swirling around over this issue, I'm not sure. Some guy just ran past my cubicle screaming, "no one is safe!"

Software industry needs reform. No - revolution

[Max_W]

Well, I am not amused by all this hoop-la.

In aviation the US system prevails. The altitude of the flight is still measured in medieval feet, something like 33600. In normal scientific metric system it is 9600 meters.

As my professor said: "It is the shame to enter 21-st century with the Imperial System of Measurement". Still we did.

I blame the US archaic technological system of doing things. This is the reason of these endless vulnerabilities.

It is impossible to work like this. I think the UN has to create the International Body and come out with the Open Source Secure OS, based on the understandable scientific System of Measurements. The humankind shall not be the hostage of an undereducated Bill or whomever. We shall aspire to the modern secure computing.

Re:Software industry needs reform. No - revolution

[anubi]

Let me throw another mudpie in the pot.

As much as I would like to smear Bill Gates and Microsoft with this whole sordid affair of finicky unrobust computational infrastructure, the avenues are there to pick on Linux, or any other system based on our present hardware just as easy, by tricking the user into installing crapware, just as we often sign legally binding documents today without understanding their alternate intent.

A major problem, as I see it, is in the hardware architecture of our machines, where we freely intermingle code and data.

Just feed the computer one "computational illusion" that snarls the CPU out of "code sync" and we find ourselves executing DATA. This data, of course, can be crafted that when executed can instruct the machine to perform damn near any arbitrary function.

Some of the "earlier" eh... "more primitive" ( tongue in cheek ) machines I have worked with used the "Harvard Architecture" which had completely different areas for code space and data space. You could NOT access code space without going through some rather elaborate procedures; in my case it involved a completely different physical drive which had connections to the processor to access code space.

One was free to do ANYTHING in data space. There was simply no hardware to allow data to modify code. If you needed to install an executable, you really had to go out of your way to do it, as the machine itself flat could not.

Personally, I question why these machines that freely intermingle code and data in the same address space can ever be trusted in public usage. Its like dealing with people who are known to obey whatever anyone tells them to do, irregardless of what YOU told them to do.

What concerns me a lot is that large businesses appear to be abandoning older ( yet extremely secure ) systems and migrating to inexpensive insecure stuff simply because they can get dime-a-dozen "certified" personnel streaming in masse from business schools. These people often have very little training in computer science and mostly know only how to install and configure a very specific OS. About as useful as used-car salesmen ( albeit they ARE useful to people who own used car lots!). And there's a helluva difference between a used-car salesman and a good seasoned mechanic.

It seems all of America as I know it is in some sort of "Teach to the Test" kind of mode where the only knowledge deemed worthy of teaching is only that which some employment model deems as important. Knowledge outside of the "rut" others want us in is verboten, and forbidden by law, which ( of course ) the bad guys pay no attention to anyway, leaving the "good guys" as defenseless as sheep amongst wolves.

All this is coming back to bite us. Instead of solving our problems intelligently and arranging the laws of physics to achieve our desires, we must beg our congressmen to wave their pens at our adversaries and pass law. When will we learn that no law crafted by men can save us from our own ignorance?

would this work?

[dlc3007]

For faster/easier protection, would it be effective to tar/rar/zip the files up? I'm thinking specifically for the non-tech friends of mine that I was warning.

Re:would this work?

[Feebleminded_Genius]

Nope.

Nyxem/Blackmal/Kama Sutra hits .zip & .rar.

http://www.f-secure.com/v-descs/nyxem_e.shtml

Re:Clue About How To Detect Whether You're Infecte

[M1FCJ]

For quite some time...

You can use any bash version available for Windows. Cygwin Bash to start with but not excluding GNU Bash or many alternatives you can find from google (the one I linked is the first one from Google search for "Windows Bash").

Re:The OS is working as intended -- vulnerably

[99BottlesOfBeerInMyF]

They can't hide that they are apps. Windows will warn you that it's an app, and tell you not to run it.

Is this true for XP-SP2 now? The last time I tried running a new program by double clicking on it, I was given no warning that it was not data or that it was the first time this program was run. Is this fixed in all the older versions of Windows as well, because frankly not having this warning is a huge UI failure and vulnerability.

You don't need to run as an admin to run Windows. We have hundreds of computers in the department which users do not have admin access on.

This is true, if you just want to run a few, particular programs, and they are the right programs. This is not true in general. I've tried running as a non-admin as have several other employees here. We could not do our jobs. Too much software requires you to be admin to run. This includes software from MS. Basically, running as a non admin makes getting anything done very, very hard. You can't install most applications, can't run some applications and run into situations where you need the admin password about once a week. Our sysadmin gave up on the idea after about 10 days.

Besides, if your e-mail client saying "Warning, this could be a virus don't run it" and then your OS saying "Warning this oculd be a virus don't run it" isn't enough, changing the OK to a password field isn't going to do any good.

I see you fail to understand layers of privilege or UI design. First presenting a cancel/OK dialogue in Windows is utterly useless most of the time. This is because most of them are written in techno-babble and so many are presented that the average user just stops paying attention and starts clicking OK reflexively. It is simply one of the stupidest UI designs ever. Users should be presented with dialogues only upon rare occasions. They should be in clear English (or whatever language). They should have buttons that actually describe something useful like, "I trust this program and want it to be able to do anything to my computer" and "I don't trust this, don't let it do anything." Of course, in practice that layer of privilege is unworkable. What is really needed is the ability to run programs in a sandbox and grant them privileges as needed, i.e. "Run this program but don't let it use the internet, alter my OS, or touch my files." Asking for a password to do privileged actions works very well, provided users are not constantly asked for a password and provided that they have the control they need to grant some privileges instead of all.

This particular virus is basically a trojan. It works because most Windows systems do not inform the user when they are running a program instead of opening data. It works because they are not warned when a program wants to do something unusual. How often do you want to download a program, or get it via e-mail and you want that program to be able to edit your personal files? The answer is so rarely it makes a lot of sense to make the default behavior restrict it from that action, and let it ask if it wants to edit them. That would have stopped this virus dead. A good UI, a workable non-admin account, and good default permissions are what it takes to stop 99% of these viruses. Until that happens, blaming users is premature. They are not given the tools and options they need.

Any word yet...

[PulledPorkNacho]

from Australia? Could be that we could figure out how bad this might be

Alice and Pictures

[SeanDuggan]

From Article: "So while you might think it is coming from cousin Alice, most likely cousin Alice is not going to send you something that says 'Hey look at these pictures with naked people.' So that should be your first clue that a virus is propagating and you'd be well served to call cousin Alice to let her know that she is [unknowingly] sending out this type of e-mail," Sergile said.
But cousin Alice sends me pictures like that all the time. Don't believe me? Go ask Alice.

But seriously though, incidents like this make me wonder whether we're doing the human race a disfavor by trying to protect all of these stupid people. If someone is going to click on random porn links, especially ones sent by unusual sources, maybe they deserve to have their computer ruined? I mean, we're not exactly talking about your grandma. Ok, well maybe your grandma, but somehow I don't suspect either of mine would click on such a link.

Re:Alice and Pictures

[Verminator]

I mean, we're not exactly talking about your grandma. Ok, well maybe your grandma, but somehow I don't suspect either of mine would click on such a link.

Mine wouldn't either. But then again, they're both dead.

Hmmm. Deceased = can't get the worm. Ironic.

Maybe I'm onto something here...

Re:Will be a good thing

[daigu]

Any company that has to file a quarterly report or that would bother spending the rest of forever with accountants doesn't track their finances in file formats subject to virus infections or worms.

I agree with the main point of your post that a virus or worm that is undetected and subtle is more deangerous. A virus like this one that attacks common file formats could also bring an organization to its knees. However, many mission critical applications - such as finances - are kept in seperate systems that are not as open to this kind of attack.

"Really damage" my machine?

[Captain+Spam]

"This is a really damaging worm. This is not one of those worms that is interested in having access to your machine for purposes later on. This worm will really damage your machine," Georgia Tech's Furst said.

It'll really damage my machine? What, it'll grab an ice pick and start stabbing the motherboard? It'll jam a soldering iron into the processor? Maybe take a hacksaw to the hard drive?

Somehow, I'm a bit more concerned about worms that ARE interested in having access to my machine for purposes later on. Thrashing my data? Pshaw. I've got backups for that, and if it only triggers once a year, double pshaw. Keylogging? Packet sniffing? Extracting personal data to defraud me out in the real world? Using my computer to conduct attacks on other computers, leaving the blame to me? I consider those a wee bit more dangerous than something that will just "really damage" my machine.

Re:Clue About How To Detect Whether You're Infecte

[andreyw]

Script above is not a /bin/bash script, you tool.

Re:No patch!!!! WTF

[99BottlesOfBeerInMyF]

I wouldn't call it a Microsoft insecurity issue, but a stupid user issue.

I disagree. Stupid users can be the weak link, but at this point, they aren't there yet. A whole lot could be done to mitigate these types of viruses by the OS that is not done. Give the users good tools and if they still screw up you can complain.

The user has to install it for it to work, the user actually has to be involved and allow it onto their box.

This is true, but most Windows OS's don't do a reasonable job of distinguishing data and programs. Even those that do, use very poorly designed UI's to do so.

The same type issue can be had for a Linux box and you don't even have to be a root user to be affected; someone emails you unknown app and like these windows dumbasses you run it can wack all of the Openoffice documents you have been using to write your disertation for the past year is gone.

Perhaps for some brain-dead Linux distros this is true. In general, however, Linux makes it a lot harder to disguise programs as data (no hidden extensions). They also require the user to explicitly make a downloaded program executable (no double click and it runs). Also, most Linux machines have a workable non-admin account and use it as a default. This means the virus cannot disable the virus protection, as this one does. Finally, a few more secure Linux distributions run programs in virtual servers, requiring the user to explicitly grant it the ability to modify the user's files.

A stupid user is stupid user

And yet, that stupid user running the average Linux or OS X distribution would not have had a problem.

Windows needs to be fixed. It is under siege and still does not implement security even as good as most Linux or OS X boxes. What they should be doing is implementing better security, not worse. When a user gets a program via e-mail, the attachment should be labeled as such, explicitly. To run any new application the user should have to explicitly agree. This does not mean give them an OK/Cancel dialogue. The UI throws so many techno-babble OK/Cancel dialogues at the average user they are conditioned to click OK to everything. They should be given real choices like "I trust this program, run it" and "Don't run this program." Even when run, the program should default to executing in a sandbox environment, with no access to the internet or to read/write any user-space files. It should be able to read necessary system files, but not write them. It should not be able to change existing DLLs. If the program tries to do any of these things, the user should be informed in plain English and given the opportunity to enable the program to do so. Think, "This program wants to read your e-mail address book (allow it to read your addresses)(Don't let it read your addresses). This program wants to access the internet in a way normally used by mail programs (allow it to send e-mail)(prevent it from sending e-mail)." Windows should install a non-admin account by default and use that as the user's normal login account, thus an additional password would be required to disable the anti-virus.

All of these abilities can be set up today with existing OS's and a company the size of MS should be able to have them working in a few month's time. It is easy to blame the user, but the user has to work with the tools he has. Sure maybe they clicked "OK" but they've already had to click it 50 times today just to do their normal work. After a while, you can't expect everyone to pay attention. I call upon MS to write a more secure OS, with a workable GUI. Until they do so, I call upon everyone here to stop cutting them slack for what "dumb users" do. They are not the weak link here. Not yet, by a long shot. You should not have to be a computer expert to use a tool designed for non-experts. Both Current and older versions of Windows need a lot of work. After it is done, then user education is needed, but until that time it is just not going to work.

What me worry ?

[Hymer]

...one computer is a Apple PowerBook running Mac OS X and the other is a IBM ThinkPad running SuSE Linux...
I do however expect to make a lot of money the next 3 - 5 days. :-D
--
What was the goal of DARPA net ? share information between different platforms.

Re:Will be a good thing

[Metrol]

May I ask what you define as a super destructive virus?

If it infected my FreeBSD desktop and wiped out my text and OpenOffice files. Now THAT would be devestating!

OTOH, if it's just Windows... eh, not that big a deal. Must be a perspective thing :)

Re:Best explanation ever:

[Overly+Critical+Guy]

If almost everybody in the world drove Fords, and Fords were hit with major problems every month that cost companies millions of dollars in time and money, while Chevy's kept running smoothly without a hitch, would you fault Chevy drivers for mentioning that fact?

Especially if Fords were as insecure as Windows XP (still running admin accounts in the year 2006...gotta love it).

You're a moron.

[Khyber]

http://service1.symantec.com/SUPPORT/nav.nsf/docid /1999041209131106

Care to argue with Symantec on the definition?

How the hell did My above post get modded 'troll' anyways? There's your proof. Oh, need more proof?

How... http://www.webopedia.com/DidYouKnow/Internet/2004/ virus.asp
About... http://www.computer-lynx.com/a-virus-or-worm.htm
THIS??? http://expertanswercenter.techtarget.com/eac/knowl edgebaseAnswer/0,295199,sid63_gci980535,00.html

Someone needs to go back to computer pre-school. I knew the difference in those 15 years ago, when I was 8. Tool.

Re:You're a moron.

[Khyber]

Fun. 50% informative, 50% flamebait. I give a correct answer to someone's blatant ignorance and what happens, I get modded "flamebait?" I can see half of slashdot must be on the pipe today.

Re:You're a moron.

[Khyber]

Dumbass, you only read ONE link. Even then, you even then only read HALF of the fucking page. Scroll further down, tool. In fact, you didn't even bother looking at the Symantec link (first one) so I'm going to repost it for you, since it gives the specific facts and pieces of info. You must've not read my entire post for that matter, or you'd have seen the Symantec link from the fucking beginning.) So here, for your pleasure, is the link again.

http://service1.symantec.com/SUPPORT/nav.nsf/docid /1999041209131106 Read, enjoy, and go back to preschool for making yourself look like a crackhead on the internet, and giving everyone here a good laugh.

You know why I blast the editors? BECAUSE THEY SHOULD BE TECHNICALLY KNOWLEDGABLE ENOUGH TO UNDERSTAND THE FUCKING DIFFERENCE IF THEY'RE GOING TO PUT ARTICLES ON THE FRONT FUCKING PAGE, AND GET IT WORDED PROPERLY! Is it too hard, in a world where education has taken a back seat, that we at least try to preserve the shattered remains of the integrity of our fouled and abused language, at least WRITTEN LANGUAGE? You want to look in a class history book in ten years and read somewhere in a paragraph, "OMFG, hitler was such a n00b. He k1ll3d so many J3ws and then got his @$$ pwnt," or would you rather prefer something intelligible, like "Hitler was a German dictator that killed millions of innocent Jewish people, solely because of their ethnicity and religion?"

Tool.

That's it, I quit

[gelfling]

I metculously setup my homeLAN machines at home as well as my college student's machines to have firewalls and spyware scanners and AV scanners as well as resident scanners. I have the routers set up to deflect everything they are able. I turn off services I know are a problem, I have resident scanners for email, web, p2p, IM, the works. I run hijack and rootkit testers on all the clients and set up the machines to flush all their tempfiles and browser caches on shutdown. I have hostfiles locked.

And just watched someone look at an AV scanner popup with colors and flashing lights that it captured a bug - what do you want to do with it? And this person couldn't cancel it, ignore it fast enough.

I quit. People are morons.

That's good news isn't it...

[guruevi]

Tomorrow I will have a job!!!

I am currently looking for a job (if you know someone -> evi@valerieandevi.be) and freelancing on the side. Tomorrow will be a great day for me... all of a sudden hundreds of company's begging me to come in to fix them and restore the backups they don't have.

NO I DIDN'T CREATE THE VIRII [sic] but I can think wishfully can't I?

can I

[towsonu2003]

install this using wine?

Re:Best explanation ever:

[dgatwood]

They provide protection from the plethora of Microsoft Office macro viruses that are out there, a few of which actually affect Macs as well (though most don't).

I don't know that I'd trust sans.org for much...

[andreMA]

They seem to find

<span class="diff">
</li></ol>
<h3>Snort Signatures
</span><br />
<span class="diff"&gt
;</h3>Joe Stewart (Lurhq.com) provided [...] of the worm:
</span><br />
<span class="diff">

and the like acceptable. While asserting html4/strict.dtd - best laugh I've had this week. If they can't master basic HTML (straddling a /H3 with a SPAN?!?!) it they probably shouldn't be allowed to run a webserver, let alone attempt to advise people on security matters.

Thanks Kama Sutra!

[StikyPad]

I, for one, can't wait to get home and see if all my files have been deleted. I've been running low on disk space, but I've been too lazy to delete old data myself. Thanks, Kama Sutra! You saved the day.

Re:The OS is working as intended -- vulnerably

[drsmithy]

But appliations in emails should not be able to hide the fact that they are applications.

They can't. When you try and open attachments you get a dialog that tells you it's a bad idea and the default response set to "Don't Open". Applications should not be able to edit the registry without warning the user.

How is the OS supposed to tell the difference between a legitimate registry change and a malicious one ?

Users should not need to run as Administrator to make their computers work properly.

I agree. Blame the people who are writing software that does, it's their fault.

The registry is itself pretty sucktastic as far as security design goes.

Bollocks. The Registry has per-user ACLs on each key. It's got a better "security model" than most OSes.

Correct me if I'm wrong, but....

[d474]

...isn't this the kind of threat that forced the government to put SkyNet online?
*tinfoil head dress*, "ON!!".

Re:The OS is working as intended -- vulnerably

[JetTredmont]

How is the OS supposed to tell the difference between a legitimate registry change and a malicious one ?

Good question. Frankly, that's a primary reason why the Registry is a near-complete design failure.

Here's some guidelines:

Preference data that is specific to a particular application should be able to be changed by that application whenever it wants to. Sensible OSs tend to do this by having separate files which hold per-app data, but there's nothing inherently wrong with a database model which keeps Windows from using this type of model. Moreover, this should not EVER require "admin" privileges, although one might want a "kiosk" class of user which prohibits even this.

Preference data which modifies system behavior should require direct and specific user approval. Not many OSs get this right, although most do a better job than Windows.

Preference data which modifies OTHER apps should not be allowed, except with the "permission" of the other app (allowing for config utilities and plugins). Nice ideal, but generally I don't see that implemented anywhere. The failback SHOULD be to treat other apps just like system data, but generally OSs tend to treat other-app prefs the same as this-app prefs for convenience.

I agree. Blame the people who are writing software that does, it's their fault.

In my experience, the general reason apps require Administrator privileges to run is that they want to be able to modify the Registry. See above. Generally, these changes are of the first nature (remember what the user had set for preferences, etc). Many times, only a small subset of what an application does will require Admin privileges, but as there is no escalation procedure in the OS, they have to require Admin privileges from the outset, or not provide those utilities at all.

Which, yes, sucks for the user. But blaming it on the app writer instead of acknowledging that it stems from poor OS design is just plain silly. While programmers and designers do tend to be lazy, it's hard to believe that thousands of separate developers all chose to be lazy around the same central issue without an underlying problem there. It's like getting reports of all your users clicking the wrong button and determining that the button's not poorly designed; you just need smarter users.

Re:Best explanation ever:

[toddestan]

but Macs have been impervious to every big, newsworthy Windows virus in the past five years.

Well, of course they are. That's why they are called Windows viruses.

Wait! This just in: Windows is impervious to Linux rootkits.

"now would be a good time to..."

[Shaddup]

...switch to a system that doesn't have such horrible security.

Re:The OS is working as intended -- vulnerably

[drsmithy]

Good question. Frankly, that's a primary reason why the Registry is a near-complete design failure.

I'm not quite sure I follow. About the only qustionable design aspect of the Registry is the usage of a solely binary-file backend (which, when you consider it was conceived back around the 1990-93 timeframe, is quite justfiable).

Preference data that is specific to a particular application should be able to be changed by that application whenever it wants to.

Within the context of the user, yes.

Sensible OSs tend to do this by having separate files which hold per-app data, but there's nothing inherently wrong with a database model which keeps Windows from using this type of model.

Windows[0] does this with per-user, per-application Registry keys. Or, basically, the equivalent of ~/.<application> directories in unix. There are also system-wide application Registry keys, the equivalent of /etc/<application> in unix.

Moreover, this should not EVER require "admin" privileges, although one might want a "kiosk" class of user which prohibits even this.

If an application developer doesn't use the per-user Registry locations and instead chooses to use the system-wide Registry and _assumes_ that the user will be running as Administrator and able to modify it, then there's not much Windows can do about it, nor is there any blame that lies in the hands of Microsoft.

Preference data which modifies system behavior should require direct and specific user approval. Not many OSs get this right, although most do a better job than Windows.

This is all very hand-wavy, so it's nearly impossible to respond. However, am I right in assuming that a) regular users shouldn't be able to modify system-wide defaults and b) even for users that have the privileges to do so, they should be bombarded with "Are you sure" dialogs at every turn ?

Preference data which modifies OTHER apps should not be allowed, except with the "permission" of the other app (allowing for config utilities and plugins). Nice ideal, but generally I don't see that implemented anywhere. The failback SHOULD be to treat other apps just like system data, but generally OSs tend to treat other-app prefs the same as this-app prefs for convenience.

I'm not really sure what you mean by "preference data". I'm assuming you mean that for application A to make any changes to application B's configuration data, then application A must register with, and have the approval of, application B.

I hope you can see why this would make a general purpose editor (ie: RegEdit) completely unworkable and would seriously hinder - if not make impossible - troubleshooting and recovery.

In my experience, the general reason apps require Administrator privileges to run is that they want to be able to modify the Registry.

More specifically, they want to edit the *system-wide* Registry that, by default, only high-privilege users may do. These applications are broken, and should be using the per-user Registry hives.

See above.

Your apparent assumption (that the Registry is a monolithic entity with no permissions capabilities or user/applicaiton/system separation) is wrong. Hence, so are your conclusions.

Generally, these changes are of the first nature (remember what the user had set for preferences, etc). Many times, only a small subset of what an application does will require Admin privileges, but as there is no escalation procedure in the OS, they have to require Admin privileges from the outset, or not provide those utilities at all.

Firstly, there are "escalation procedures" in the OS.

Secondly, these applications are broken because they are trying to write to the wrong part of the Registry, that they do not (nor should) have permissions to modify. It is analagous to a random unix user's application trying to modify parts of /etc, rather than using ~ like it s

Re:Best explanation ever:

[nolife]

Your comment has absolutely nothing to do my reply or the quote I replied to.

Mirror and external disk.

[jotaeleemeese]

I mirror my disk and then once in a while (once a month or so) I copy data I consider important to an external drive which is locked under key.

The only way I would lose my personal data is if there was a catastrpophic problem, in which case data integrity of my family photos and video would be the least important of my concerns.

Of course there could be a patch

[Sloppy]

There's an inconsistency in the article.

Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no "patch" that can be downloaded to ward off Kama Sutra.

But earlier, it says this:

With the Kama Sutra worm, this is a traditional style worm, meaning that it takes user interaction in order to become infected; someone has to double click on a file attachment

In other words, this crap spreads by extremely poor UI. Think about it: a mailreader that lets a user run hostile software embedded in a message by clicking on it?! Holy crap. Why would anyone build such capability into an email client? No reason at all. The patch is to remove this incredibly stupid functionality which someone originally went to extra trouble to add to the email client.

If it is possible for you to get your email client to execute attachments, then your email client is defective. Patch it or replace it.